Impact
The vulnerability is an improper neutralization of special elements used in an SQL command that allows a blind SQL injection attack against the WordPress Listdom plugin. An attacker could manipulate the SQL query that the plugin constructs, retrieving, modifying, or deleting database contents. Because the injection is blind, an attacker may not see immediate error messages but can infer information through timing or error-based responses, enabling data exfiltration or full database compromise.
Affected Systems
Webilia Inc. provides the Listdom WordPress plugin, versions up to and including 5.4.0 are affected. Any installation of Listdom 5.4.0 or earlier is vulnerable; the official remedy is to update to version 5.5.0 or newer.
Risk and Exploitability
The CVSS score of 9.3 indicates a critical severity. The EPSS score is not available, so no quantified exploitation probability is published, but the lack of KEV listing suggests no publicly known exploitation yet. The likely attack vector is through a public WordPress site that hosts the plugin, where an attacker may send malicious input to the plugin’s HTTP endpoints. Based on the description, it is inferred that the exploitation requires sending crafted requests containing special characters that are not properly escaped, possibly from an authenticated or unauthenticated context, and relies on the plugin’s blind query execution.
OpenCVE Enrichment